With the rapid development of the Internet, Intranet, and network computing, applications (application programs) are distributed more and more via such networks, instead of via physical storage media. Many associated distribution technologies are available, such as Java and Active X. Therefore objects with both data and code flow around the network and have seamless integration with local computer resources. However, this also poses a great security risk to users. Code (software) from unknown origin is thereby executed on local computers and given access to local resources such as the hard disk drive in a user's computer. In a world wide web browser environment, such code is often automatically executed and the user might not even have a chance to be forewarned about any security risks (e.g. presence of computer viruses) he bears. Attempts have been made to reduce such risks; see Ji et al., U.S. Pat. No. 5,623,600, incorporated by reference in its entirety.
Active X technology, like Java, distributes code that can access local system resources directly. The web browser cannot monitor or block such accesses. Such an applet (application) can do virtually anything that a conventional program, for instance, a virus, is capable of doing. Microsoft Corp. and others have attempted to address this problem by using digital signature technology, whereby a special algorithm generates a digital profile of the applet. The profile is attached to the applet. When an applet is downloaded from the Internet, a verification algorithm is run on the applet and the digital profile to ensure that the applet code has not been modified after the signing. If an applet is signed by a known signature, it is considered safe.
However, no analysis of the code is done to check the behavior of the applet. It is not difficult to obtain a signature from a reputable source, since the signature can be applied for online. It has occurred that a person has created an Active X applet that was authenticated by Microsoft but contains malicious code. (Malicious code refers to viruses and other problematic software. A virus is a program intended to replicate and damage operation of a computer system without the user's knowledge or permission. In the Internet/Java environment, the replication aspect may not be present, hence the term "malicious code" broadly referring to such damaging software even if it does not replicate.)
Java being an interpreted language, Java code can be monitored at run-time. Most web browsers block attempts to access local resources by Java applets, which protects the local computer to a certain extent. However, as the popularity of Intranets (private Internets) increases, more and more applets need to have access to local computers. Such restrictions posed by the web browsers are becoming rather inconvenient. As a result, web browsers are relaxing their security policies. Netscape Communicator is a web browser that now gives users the ability to selectively run applets with known security risks. Again, decisions are made based on trust, with no code analysis done.
Hence scanning programs with the ability to analyze and monitor applets are in need to protect users.
At least three Java applet scanners are currently available commercially: SurfinShield and SurfinGate, both from Finjan, and Cage from Digitivity, Inc. SurfinShield is a client-side (user) solution. A copy of SurfinShield must be installed on every computer which is running a web browser. SurfinShield replaces some of the Java library functions included in the browser that may pose security risks with its own. This way, it can trap all such calls and block them if necessary.
SurfinShield provides run-time monitoring. It introduces almost no performance overhead on applet startup and execution. It is able to trap all security breach attempts, if a correct set of Java library functions is replaced. However, it is still difficult to keep track of the states of individual applets if a series of actions must be performed by the instances before they can be determined dangerous this way, because the scanner is activated rather passively by the applets.
Since every computer in an organization needs a copy of the SurfinShield software, it is expensive to deploy. Also, installing a new release of the product involves updating on every computer, imposing a significant administrative burden.
Because SurfinShield replaces library functions of browsers, it is also browser-dependent; a minor browser upgrade may prevent operation. SufinGate is a server solution that is installed on an HTTP proxy server. Therefore, one copy of the software can protect all the computers proxied by that server. Unlike SufinShield, SurfinGate only scans the applet code statically. If it detects that one or more insecure functions might be called during the execution of the applet, it blocks the applet. Its scanning algorithm is rather slow. To solve this problem, SurfinGate maintains an applet profile database. Each applet is given an ID which is its URL. Once an applet is scanned, an entry is added to the database with its applet ID and the insecure functions it might try to access. When this applet is downloaded again, the security profile is taken from the database to determine the behavior of the applet. No analysis is redone. This means that if a previously safe applet is modified and still has the same URL, SurfinGate will fail to rescan it and let it pass through. Also, because the size of the database is ever-growing, its maintenance becomes a problem over time.
Cage is also a server solution that is installed on an HTTP proxy server, and provides run-time monitoring and yet avoids client-side installations or changes. It is similar to X Windows. All workstations protected by the server serve as X terminals and only provide graphical presentation functionality. When an applet is downloaded to Cage, it stops at the Cage server and only a GUI (graphical user interface) agent in the form of an applet is passed back to the browser. The applet is then run on the Cage server. GUI requests are passed to the agent on the client, which draws the presentation for the user. Therefore, it appears to users that the applets are actually running locally.
This approach creates a heavy load on the server, since all the applets in the protected domain run on the server and all the potentially powerful computers are used as graphical terminals only. Also, reasonable requests to access local resources (as in Intranet applications) are almost impossible to honor because the server does not have direct access to resources on individual workstations.
These products fail to create any balance between static scanning and run-time monitoring. SurfinShield employs run-time monitoring, SurfinGate uses static scanning, and Cage utilizes emulated run-time monitoring. Since static scanning is usually done on the server and run-time monitoring on the client, this imbalance also causes an imbalance between the load of the server and the client. To distribute the load between the client and the server evenly, the present inventor has determined that a combination of static scanning and run-time monitoring is needed.